Foreign Businesses Flee US Cloud Computing, Survey Finds

Concerns about NSA surveillance driving some Canadian and UK companies to take their cloud computing business abroad.


Fully a quarter of businesses are moving data out of the US as a result of revelations about the scope of data gathering by the US National Security Agency, claims Canada-based cloud hosting provider PEER 1 Hosting.

Some qualifications apply: The survey behind the company's assertion doesn't cover 25% of all businesses. It describes findings from a 10-minute survey of 300 small companies -- 250 employees or less -- based in the UK and Canada.

When the sample is confined to just Canadian companies, 33% say they plan to move data out of US datacenters. Evidence of that exodus isn't extensive: PEER 1 was able to point to one client, iDigital, that has been dealing with data flight.

Matt McKinney, managing director of iDigital, an 85-person cloud hosting provider based in British Columbia, Canada, said in a phone interview that privacy is particularly important to Canadians, noting that the country has been aggressive in dealing with online privacy through its regulatory agencies.

McKinney said customers began asking where iDigital's servers were housed two or three years ago, when concern about the implications of the US Patriot Act became more widespread. The NSA revelations last year, he said, "were the straw that broke the camel's back. Eight out of 10 questions from customers now deal with governance, compliance, and data storage."

During the past 12 months, McKinney said, a substantial number of iDigital's 18,000 customers have been moving data that had been housed in Dallas, Texas, to north of the border, despite the costs being slightly higher. He estimated that the company is handling 10 to 15 migrations a week and claimed that other hosting companies like HostGator and Rackspace have seen customers move north.

Acknowledging that data may be sought by authorities in Canada, as it is in the US, McKinney suggested that Canadian companies, because of the cultural importance of privacy in the country, would be more likely, and better able, to resist overly expansive demands for information than companies in the US.

"Companies like Microsoft and Google just don't have the option to say, 'No, I won't give it to you,' because of the Patriot Act," he said.

(In fact, US companies do have the option to resist, but may be forbidden under the Patriot Act from disclosing demands for information or legal filings in opposition to said demands. The extent to which the US judicial branch sees a legal basis for opposing demands for access made under the mantle of national security is another matter.)

PEER 1's survey finds that despite rising mistrust, the US continues to be the most popular place for companies to host data (51%) outside of their home countries. That suggests the perception that data insecurity is at least as bad outside the US. A Der Spiegel report says that the NSA has a lengthy catalog of exploits with which to compromise commercial IT gear, so it appears that the only secure computing device is an abacus muffled in a black bag. Presumably, every national intelligence agency with even a modicum of ambition aspires to total information awareness.

There's little doubt that the ongoing reports about the NSA's reach and methods, based on documents leaked by former NSA contractor Edward Snowden, have provoked anger, frustration, and calls for reform among companies, legal experts, security professionals, and lawmakers around the globe.

In fact, PEER 1's survey aligns with warnings from other groups with perhaps less of a vested interest in such findings. The Information Technology and Innovation Foundation (ITIF), a technology think tank, projected last August that US cloud computing providers would eventually lose 20% of the foreign market to competitors. In dollar terms, it projected losses as high as $35 billion by 2016.

The ITIF based its projection on a July 2013 Cloud Security Alliance survey. It relied on 456 responses to an online survey, 234 from the US and 222 from other countries.

Daniel Castro, an analyst at the ITIF, said in an email that PEER 1's findings are on the high end of what he'd expect. He said his organization's previous estimate assumed no more than a 5% drop in foreign companies buying cloud computing services in the first year.

While noting that the value of cloud contracts with small businesses isn't easily compared to what medium and large companies buy, he said that PEER 1's findings support the ITIF estimate and indicate that policymakers should be paying attention to the issue.

But Castro said the US government has failed to respond adequately to the economic impact of its intelligence operations. "US companies are at an unfortunate disadvantage and the intelligence community has done little to remedy this situation," he said. "The policies that led to this situation have not changed and are currently in direct conflict with the economic strategy of the nation which is to promote a level playing field for US companies abroad."

Thomas Claburn is editor-at-large for InformationWeek. He has been writing about business and technology since 1996 for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television. He's the author of a science fiction novel, Reflecting Fires, and his mobile game Blocfall Free is available for iOS, Android, and Kindle Fire.


While I absolutely understand the hesitation of companies to leverage US-based cloud services due to the fear around the NSA leaks, the reality is that sadly a lot of the more established cloud providers are US companies. That being said, this means it is a great opportunity for startups in the UK and Canada to start to build competitive services to meet the needs of the market. The only downside is that funding for these startups is very scarce, especially in Canada. So we are just not seeing the innovation and startup pool that we would like.

As for the figures themselves, it's always going to need to be taken with a grain of salt. These are projected "poor us, this is how much we are hurting" but the reality is that the market itself might have slowed down. If indeed these services are being avoided, the subscriptions must be going somewhere else. I'd be curious to see if there is a revenue shift geographically for cloud providers as a result. That will be the true test.

Other countries, particularly Germany, UK and France, have laws on the books like the Patriot Act but they are not so foolish as to trumpet them as the work of patriots. They are special provisions buried in existing laws or given much more non-descript names. In the Netherlands, for example, the government's power to snoop is in Article 2: 2(b) of the Personal Data Protection Act. America, home of the golden arches, doesn't hide its sins of excess behind a veil. See, "Is Cloud Computing A Global Market Yet? Nyet." http://www.informationweek.com/cloud/infrastructure-as-a-service/is-cloud-computing-a-global-market-yet-nyet/d/d-id/1102970 On the other hand, Canada continues to develop stronger and stronger indigenous cloud service suppliers, like CentriLogic in Toronto. See http://www.informationweek.com/cloud/software-as-a-service/6-cloud-upstarts-to-watch/d/d-id/1113287

These figures sound overblown. And even if they're indicative, one has to wonder whether pulling out of the US is a realistic answer -- and for that matter, whether there are really any safe data havens in the world. The laws on data sovereignty from country to country are a mess, and likely to remain in flux, as Daniel Castro, quoted in this article, discovered in preparing a report he and the ITIF released recently. The report called for a "Geneva Convention" to address the complex maze of data laws that affect growth of cloud computing and global trade. (You can read more at Tangled Data Protection Laws Threaten Cloud, Critics Say).

The author does a good job of showing the weaknesses of this research, so I wouldn't jump to too many conclusions based on it. What I'd like to see is a comprehensive, truly international study on this subject.

This is precisely why I don't use my Facebook account or even have a Twitter account. If my correspondence contains anything that needs to be secure, I use snail mail. I will NEVER use cloud computing for any reason. If there comes a time when that is all that is available, I guess I'll just retire my internet connection and go dark. Security promises mean nothing in this time of data overload.

Now, we can't even trust our own government. I admit that I am an old man. I still have my original Social Security card that I got when I was in the 8th grade so that I could get work with a work permit. The government (OUR government) printed the following on the bottom of ALL Social Security cards back then: "For Social Security and Tax Purposes Only - Not For Identification". They had promised my parents' generation that no citizen of the United States would ever be given a universal identification number as Germany had done. We all can see how that has worked out.

Is there any good reason to believe the NSA doesn't also have its fingers in data centers outside of the U.S., with or without the operators' knowledge? The agency's mission is supposed to be connecting signals intelligence from around the world, is it not?
